This series was principally motivated by a desire to enable use of TLS on non-TCP transports. For x509 certificates this means we need a way to set the hostname to use for certificate validation, since a UNIX socket carries no hostname of its own. This also lets us override the hostname when connecting on a TCP transport that is tunnelled or port-forwarded, where the address we connect to is not the name in the server's certificate. It also unlocks the ability to use PSK (pre-shared keys) with UNIX sockets, which would always have worked had it not been blocked by explicit checks in the NBD code.
NB, the first patch in this series is common with my corresponding migration series for TLS:
https://lists.gnu.org/archive/html/qemu-devel/2022-03/msg00556.html

Daniel P. Berrangé (12):
  crypto: mandate a hostname when checking x509 creds on a client
  block: pass desired TLS hostname through from block driver client
  block/nbd: support override of hostname for TLS certificate validation
  qemu-nbd: add --tls-hostname option for TLS certificate validation
  block/nbd: don't restrict TLS usage to IP sockets
  tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file
  tests/qemu-iotests: expand _filter_nbd rules
  tests/qemu-iotests: introduce filter for qemu-nbd export list
  tests/qemu-iotests: convert NBD TLS test to use standard filters
  tests/qemu-iotests: validate NBD TLS with hostname mismatch
  tests/qemu-iotests: validate NBD TLS with UNIX sockets
  tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK

 block/nbd.c                      | 25 +++++---
 blockdev-nbd.c                   |  6 --
 crypto/tlssession.c              |  6 ++
 docs/tools/qemu-nbd.rst          | 14 +++++
 include/block/nbd.h              |  3 +-
 nbd/client-connection.c          | 12 +++-
 qapi/block-core.json             |  3 +
 qemu-nbd.c                       | 25 ++++++--
 tests/qemu-iotests/233           | 99 +++++++++++++++++++++++++++-----
 tests/qemu-iotests/233.out       | 56 +++++++++++++++---
 tests/qemu-iotests/241           |  6 +-
 tests/qemu-iotests/241.out       |  3 +
 tests/qemu-iotests/common.filter |  9 +++
 tests/qemu-iotests/common.tls    | 31 +++++++++-
 tests/qemu-iotests/testrunner.py |  6 ++
 15 files changed, 252 insertions(+), 52 deletions(-)

-- 
2.34.1